USB: cdc-wdm: fix race leading leading to memory corruption

This patch fixes a race whereby a pointer to a buffer
would be overwritten while the buffer was in use leading
to a double free and a memory leak. This causes crashes.
This bug was introduced in 2.6.34

Signed-off-by: Oliver Neukum <oneukum@suse.de>
Tested-by: Bjørn Mork <bjorn@mork.no>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

1 files changed, 5 insertions, 2 deletions

diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
index c6f6560d436c..0bb2b3248dad 100644
--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -157,8 +157,9 @@ static void wdm_out_callback(struct urb *urb)
         spin_lock(&desc->iuspin);
         desc->werr = urb->status;
         spin_unlock(&desc->iuspin);
-        clear_bit(WDM_IN_USE, &desc->flags);
         kfree(desc->outbuf);
+        desc->outbuf = NULL;
+        clear_bit(WDM_IN_USE, &desc->flags);
         wake_up(&desc->wait);
 }
 
@@ -338,7 +339,7 @@ static ssize_t wdm_write
         if (we < 0)
                 return -EIO;
 
-        desc->outbuf = buf = kmalloc(count, GFP_KERNEL);
+        buf = kmalloc(count, GFP_KERNEL);
         if (!buf) {
                 rv = -ENOMEM;
                 goto outnl;
@@ -406,10 +407,12 @@ static ssize_t wdm_write
         req->wIndex = desc->inum;
         req->wLength = cpu_to_le16(count);
         set_bit(WDM_IN_USE, &desc->flags);
+        desc->outbuf = buf;
 
         rv = usb_submit_urb(desc->command, GFP_KERNEL);
         if (rv < 0) {
                 kfree(buf);
+                desc->outbuf = NULL;
                 clear_bit(WDM_IN_USE, &desc->flags);
                 dev_err(&desc->intf->dev, "Tx URB error: %d\n", rv);
         } else {